
Overview

There are two questions you should be asking yourself about your organization’s insider threat program:

  1. What is the probability that your organization will experience an insider threat incident? The common assumption is that it is low. Here again, the flawed mental model that “the worst-case scenario is also the least probable” works against an organization’s efforts to stand up even a minimum viable product (MVP)-level insider threat or counter-cyber-espionage program.  The reality is that 34% of all breaches in 2018 were caused by insiders (a), yet fewer than 20% of U.S. organizations have effective security programs to combat the problem. (b)
  2. What will be the impact if your organization experiences an insider threat incident or damage linked to insider activity?  “The results range from information leakage and national security breaches to workplace violence and even reputational damage. Insiders’ unintentional actions can be equally damaging. Clearly, a robust insider threat program that protects government resources, employees, and contractors can deliver significant value and reduce associated risks.”  (1)

In this series of posts, we ask a further question:  how can a serious internal commitment to the design process and to collective intelligence (that is, community-driven insider threat initiatives) give this often ignored sub-sector of risk management the priority it requires within your organization, with innovation as the driver?

In Part I of this series, we took a look at the Transportation Security Administration (TSA) Insider Threat Roadmap 2020 and advanced analytics.  Following are two more initiatives that are thinking differently about insider threat program implementation through innovative architectures, collective intelligence, advanced analytics, and the use of publicly available information (PAI).  Community-based and partner collaborations up and down the supply chain are also a hallmark of these efforts, as there is a growing acknowledgment that internal-facing and traditionally siloed insider threat efforts are part of the problem.

In Part II, we examine the approaches taken and the resources available at the Carnegie Mellon University Software Engineering Institute (SEI) and the MITRE Center for Threat-Informed Defense (CTID).

Carnegie Mellon University Software Engineering Institute (SEI)

According to the Carnegie Mellon University Software Engineering Institute (SEI) website, the institute:

“…adopts a holistic approach to insider threat research to understand not only the ‘how’ of insider incidents, but also the ‘why.’  In most cases, employees don’t join their organizations with the intent to do harm.  Rather, employees can become motivated to carry out attacks against their employers when they experience a series of stressors, when they exhibit concerning behaviors, and when employers address those behaviors in some maladaptive way. When that happens, employees can become easy and willing targets of pressure from criminals and foreign agents, or they might become disgruntled and careless on the job. A major goal of insider threat research, therefore, is to understand root causes of stressors and concerning behaviors to detect them early and offer employees better help before they commit a harmful act.”

SEI’s insider threat research is organized around a concept it calls positive deterrence: a framework for giving employees positive incentives that reduce insider risk, rather than relying only on restriction, detection, and punishment.

Positive Deterrence

The SEI Technical Report, The Critical Role of Positive Incentives for Reducing Insider Threats, discusses insider threats from the perspective of “the traditional approach focused on negative incentives that restrict employees to prevent abuse and detects and punishes abuse when it occurs. This approach is based on a negative form of deterrence as promulgated in Deterrence Theory, which says that people obey rules because they fear getting caught and being punished.  Restricting, detecting, and punishing employees reinforces the deterrence (negative) of abuse.

Our extension of security through positive incentives is shown on the left side of [Figure 16 below]. In its current form, as supported by our research, organizational support (including organization justice) is shown as the foundation of positive deterrence.  With this foundation in place, connectedness with co-workers and job engagement serve to strengthen an employee’s commitment to the organization. Organization support and connectedness also strengthen overall engagement in a feedback effect.  This form of positive deterrence complements the use of negative deterrence by reducing the baseline of insider threat in a way that can improve employees’ satisfaction, performance, and commitment to the organization.” (1)

Rethinking Security Strategies

Again, the SEI captures the nature of research efforts best:  “At the SEI, we help organizations use their data and their resources to get a clearer picture of possible threats in their workforce and in the supply chains and contractors they work with. Our goal is to advance the state of insider threat research through the development of capabilities for preventing, detecting, and responding to evolving cyber and physical threats.

We focus on building repeatable, verified, and context-aware processes and preventative controls based on careful research and empirical evidence. We develop techniques that improve detection through tools that quickly detect patterns and anomalies; that automate prediction of risk and prevention controls; and that quickly and accurately identify indicators of various insider attack types.

The SEI is leading this effort thanks to our unique combination of experience and expertise. Since 2001, we have partnered with government agencies—such as the Department of Defense, the Department of Homeland Security, Secret Service, and many federal agencies—as well as with private industry, academia, and the vendor community. We are also leaders in modeling and simulation, software engineering, cybersecurity, and data science, and we engage in collaborative research relationships with a cadre of multidisciplinary experts in the social and behavioral sciences. As a result, we are the only source for a data-driven, risk-based, socio-technical approach to insider threats. (2)

The SEI Insider Threat Test Dataset

We have a database of over 3,000 insider incidents that we use to characterize the nature of the evolving insider threat problem, develop indicators of insider risk, and prototype and transition technical and administrative controls for insider threat mitigation. In our insider threat lab, we measure the effectiveness of new tools, indicators, and analytic techniques. We’ve developed assessments to help organizations identify their vulnerabilities to insider threats, and several training courses on establishing and operating an insider threat program.

The Insider Threat Test Dataset is a collection of synthetic insider threat test datasets that provide both synthetic background (benign) activity and synthetic malicious-actor activity, so that detection logic can be prototyped and measured against known ground truth.

Dataset – Abstract

The CERT Division, in partnership with ExactData, LLC, and under sponsorship from DARPA I2O, generated a collection of synthetic insider threat test datasets. These datasets provide both synthetic background data and data from synthetic malicious actors.

For more background on this data, please see the paper, Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data.
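Because the dataset pairs benign background activity with labelled malicious-actor activity, it is a natural place to prototype the kind of pattern-and-anomaly detection SEI describes. The block below is an added example, not code from SEI, CERT, ExactData or the dataset’s documentation: it runs a simple per-user baseline-and-deviation check over a handful of constructed logon records. The CSV layout (id, date, user, pc, activity), the user and PC names, and the cutoff date separating the baseline window from the evaluation window are all assumptions made for this illustration and are not taken from the dataset itself.

```python
"""Per-user baseline-and-deviation check over synthetic logon records.

Added example; not code from SEI/CERT or the Insider Threat Test Dataset.
The CSV columns (id,date,user,pc,activity) and every record below are
constructed for this illustration; treat the schema as an assumption.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed records: one week of normal activity, then an evaluation
# week containing one off-hours logon, one logon from a never-seen PC,
# and one logon by a user with no baseline at all.
SAMPLE_LOGONS = """\
id,date,user,pc,activity
1,01/04/2010 08:02:00,ACM2278,PC-1234,Logon
2,01/04/2010 17:31:00,ACM2278,PC-1234,Logoff
3,01/05/2010 08:11:00,ACM2278,PC-1234,Logon
4,01/06/2010 07:58:00,ACM2278,PC-1234,Logon
5,01/07/2010 08:20:00,ACM2278,PC-1234,Logon
6,01/08/2010 08:04:00,ACM2278,PC-1234,Logon
7,01/04/2010 09:15:00,CMP1234,PC-2222,Logon
8,01/05/2010 09:03:00,CMP1234,PC-2222,Logon
9,01/06/2010 09:30:00,CMP1234,PC-2222,Logon
10,01/11/2010 08:05:00,ACM2278,PC-1234,Logon
11,01/11/2010 09:12:00,CMP1234,PC-2222,Logon
12,01/12/2010 23:47:00,ACM2278,PC-1234,Logon
13,01/12/2010 23:58:00,ACM2278,PC-1234,Logoff
14,01/12/2010 10:05:00,ZZZ0001,PC-9999,Logon
15,01/13/2010 08:10:00,ACM2278,PC-5678,Logon
"""

# Assumed split: rows before this date form the baseline, the rest are scored.
CUTOFF = datetime(2010, 1, 11)


def parse_logons(text):
    """Parse the CSV text into dicts, adding a parsed timestamp under 'ts'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.strptime(rec["date"], "%m/%d/%Y %H:%M:%S")
        rows.append(rec)
    return rows


def build_baseline(rows, cutoff):
    """Per-user profile (PCs used, logon hours seen) from Logon events before cutoff."""
    profile = defaultdict(lambda: {"pcs": set(), "hours": []})
    for r in rows:
        if r["activity"] == "Logon" and r["ts"] < cutoff:
            profile[r["user"]]["pcs"].add(r["pc"])
            profile[r["user"]]["hours"].append(r["ts"].hour)
    return profile


def find_anomalies(rows, cutoff, slack_hours=1):
    """Score Logon events at or after cutoff against each user's baseline.

    Returns (user, date, reason) tuples in record order. A logon is flagged when
    its hour falls outside the user's observed window (widened by slack_hours),
    when the PC was never seen for that user, or when the user has no baseline.
    """
    baseline = build_baseline(rows, cutoff)
    alerts = []
    for r in rows:
        if r["activity"] != "Logon" or r["ts"] < cutoff:
            continue
        prof = baseline.get(r["user"])
        if prof is None:
            alerts.append((r["user"], r["date"], "no baseline for user"))
            continue
        lo = min(prof["hours"]) - slack_hours
        hi = max(prof["hours"]) + slack_hours
        if not lo <= r["ts"].hour <= hi:
            alerts.append((r["user"], r["date"],
                           f"logon hour {r['ts'].hour} outside baseline window {lo}-{hi}"))
        if r["pc"] not in prof["pcs"]:
            alerts.append((r["user"], r["date"], f"first logon to {r['pc']}"))
    return alerts


if __name__ == "__main__":
    for user, when, why in find_anomalies(parse_logons(SAMPLE_LOGONS), CUTOFF):
        print(f"{when}  {user:8}  {why}")
```

On the constructed input this produces three alerts: the 23:47 logon by ACM2278, the logon by ZZZ0001 who has no baseline, and ACM2278’s first logon to PC-5678. The hour window and PC set are deliberately crude; a real prototype against the dataset would learn per-user distributions (and separate weekdays from weekends) rather than a min/max range, and would align the baseline/evaluation split with the dataset’s own background versus malicious-actor labelling so that precision and recall can be measured.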

MITRE and Private Sector Partners Develop Insider Threat Knowledge Base

Launched in February 2022, the Insider Threat TTP Knowledge Base is a research collaboration led by the MITRE Center for Threat-Informed Defense (CTID) with its private-sector participants.   For readers who are not familiar with MITRE and the MITRE ATT&CK framework:

MITRE is a nonprofit organization created to provide engineering and technical guidance to the federal government. The organization originally developed the ATT&CK framework for use in a MITRE research project in 2013 and named it for the data it collects, Adversarial Tactics, Techniques, and Common Knowledge, or, in acronym form, ATT&CK.

MITRE ATT&CK was released to the public for free in 2015, and today helps security teams in all sectors secure their organizations against known and emerging threats. And while MITRE ATT&CK originally focused on threats against Windows enterprise systems, today it also covers Linux, mobile, macOS, and ICS. (3)

Jon Baker, the Director of Research & Development at the MITRE CTID, in his post “Launching a community-driven insider threat knowledge base,” described CTID’s ‘collective intelligence’ approach to defending against insider threats:

“To advance our collective understanding of insider threats, the Center for Threat-Informed Defense created the Insider Threat TTP Knowledge Base. This collection of tactics, techniques, and procedures (TTPs) used by known insiders in IT environments was developed with support from participants including Citigroup Technology, Inc.; CrowdStrike, Inc.; HCA — Information Technology & Services, Inc.; JPMorgan Chase Bank, N.A.; Microsoft Corporation; and Verizon Business Services. With this lexicon of known insider threat TTPs as a foundation, defenders will detect, mitigate, and emulate insider actions on IT systems and stop them.

Publishing the Knowledge Base is our first step towards establishing a community-wide collaboration to advance our collective understanding of insider threats. Our initial publication is based on an analysis of insider threat case data contributed by our participants and identified 54 techniques that have been used by insiders. As this release is just the first step in establishing a common lexicon for defenders, we also created a supporting methodology and process to allow us to systematically work with the cybersecurity community to develop and expand the Insider Threat TTP KB.

We are actively seeking feedback on this initial release and will continue to evolve it with your support. Your support is critical to establishing an open knowledge base of insider threat TTPs that will empower defenders to detect and mitigate insider threats.

  • Share your use cases with us — How will your organization use this knowledge base? And for those early adopters, what benefits or challenges have you seen?
  • Expand the knowledge base — Contact us to learn more about contributing to the knowledge base.

You can contact us at [email protected] or file issues on our GitHub repository.”

Part I of this series: https://oodaloop.com/archive/2022/04/28/is-your-insider-threat-risk-management-program-ripe-for-innovation-part-1/


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.